Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 13, 2021, 11:06 a.m.	Nov. 13, 2021, 11:08 a.m.

Size	3.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`96e4d115b0edc2d77fb7b447e11fda39`
SHA256	`e5975f25c103fae9d95d4652ec3b9e4c479d445d61c88f08354835b85e4b7546`
CRC32	`5C815C6E`
ssdeep	`49152:xJatr4BuNWIoFpyAFMcToCpTNUVFegJu9yv/PtcLPpH12d42Pkg+SLT0Xvm:xcrcVtJMSo+T2iuwyfWLPpH12dZkgt4O`
Yara	ASPack_Zero - ASPack packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

lianzhanst.exe "C:\Users\test22\AppData\Local\Temp\lianzhanst.exe"
2340

Name	Response	Post-Analysis Lookup
www.hzyotoy.com	A 218.12.76.164 A 218.12.76.163 A 120.52.95.235 A 120.52.95.234 CNAME www.hzyotoy.com.c.cdnhwc1.com CNAME hcdnw101.gslb.c.cdnhwc2.com	218.12.76.163
www.zhaost.com88
bdtg.hzyotoy.com

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.aspack
section	.adata

The executable uses a known packer (1 event)

packer

ASPack v2.12 -> Alexey Solodovnikov

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	PNG
resource name	None

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 13, 2021, 11:06 a.m.	stacktrace: lianzhanst+0x9a03d @ 0x49a03d exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e7 5b eb 38 8b 45 ec exception.symbol: lianzhanst+0x46616 exception.address: 0x446616 exception.module: lianzhanst.exe exception.exception_code: 0xc000001d exception.offset: 288278 registers.esp: 1613860 registers.edi: 15 registers.eax: 1 registers.ebp: 1613916 registers.edx: 582600 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1	0	0
__exception__ Nov. 13, 2021, 11:06 a.m.	stacktrace: lianzhanst+0x9a046 @ 0x49a046 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45 exception.symbol: lianzhanst+0x466d5 exception.instruction: in eax, dx exception.module: lianzhanst.exe exception.exception_code: 0xc0000096 exception.offset: 288469 exception.address: 0x4466d5 registers.esp: 1613860 registers.edi: 15 registers.eax: 1447909480 registers.ebp: 1613916 registers.edx: 22104 registers.ebx: 0 registers.esi: 1 registers.ecx: 10	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Nov. 13, 2021, 11:06 a.m.	total_number_of_free_bytes: 10233167872 free_bytes_available: 10233167872 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (50 out of 146 events)

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

name

PNG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00568890

size

0x00003aa8

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (7 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 13, 2021, 11:06 a.m.	snapshot_handle: 0x0000017c process_name: mobsync.exe process_identifier: 304	1	1
Process32NextW Nov. 13, 2021, 11:06 a.m.	snapshot_handle: 0x0000017c process_name: pw.exe process_identifier: 2060	1	1
Process32NextW Nov. 13, 2021, 11:06 a.m.	snapshot_handle: 0x0000017c process_name: wsqmcons.exe process_identifier: 2120	1	1
Process32NextW Nov. 13, 2021, 11:06 a.m.	snapshot_handle: 0x0000017c process_name: taskhost.exe process_identifier: 2164	1	1
Process32NextW Nov. 13, 2021, 11:06 a.m.	snapshot_handle: 0x0000017c process_name: cmd.exe process_identifier: 2272	1	1
Process32NextW Nov. 13, 2021, 11:06 a.m.	snapshot_handle: 0x0000017c process_name: conhost.exe process_identifier: 2280	1	1
Process32NextW Nov. 13, 2021, 11:06 a.m.	snapshot_handle: 0x0000017c process_name: pw.exe process_identifier: 2360	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 13, 2021, 11:06 a.m.	flags: 16 family: 2		111	0

The binary likely contains encrypted or compressed data indicative of a packer (5 events)

section

{u'size_of_data': u'0x00084600', u'virtual_address': u'0x00001000', u'entropy': 7.9994366603654985, u'name': u'.text', u'virtual_size': u'0x0018a000'}

entropy

7.99943666037

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00016c00', u'virtual_address': u'0x0018b000', u'entropy': 7.994289631196229, u'name': u'.rdata', u'virtual_size': u'0x00056000'}

entropy

7.9942896312

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00003000', u'virtual_address': u'0x001e1000', u'entropy': 7.970595544424795, u'name': u'.data', u'virtual_size': u'0x00023000'}

entropy

7.97059554442

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x002e7e00', u'virtual_address': u'0x00205000', u'entropy': 7.9991724543776375, u'name': u'.rsrc', u'virtual_size': u'0x00372000'}

entropy

7.99917245438

description

A section with a high entropy has been found

entropy

0.992708763241

description

Overall entropy of this PE file is high

Detects virtualization software with SCSI Disk Identifier trick(s) (3 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
registry	HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
registry	HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier

Enumerates services, possibly for anti-virtualization (1 event)

Time & API	Arguments	Status	Return	Repeated
EnumServicesStatusA Nov. 13, 2021, 11:06 a.m.	service_handle: 0x00ae9808 service_type: 59 service_status: 3		0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 13, 2021, 11:06 a.m.	stacktrace: lianzhanst+0x9a046 @ 0x49a046 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45 exception.symbol: lianzhanst+0x466d5 exception.instruction: in eax, dx exception.module: lianzhanst.exe exception.exception_code: 0xc0000096 exception.offset: 288469 exception.address: 0x4466d5 registers.esp: 1613860 registers.edi: 15 registers.eax: 1447909480 registers.ebp: 1613916 registers.edx: 22104 registers.ebx: 0 registers.esi: 1 registers.ecx: 10	1	0	0

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Lionic	Trojan.Win32.Convagent.i!c
MicroWorld-eScan	Trojan.GenericKD.47377109
ALYac	Trojan.GenericKD.47377109
Arcabit	Trojan.Generic.D2D2EAD5
ClamAV	Win.Trojan.Qqpass-9908376-0
Kaspersky	VHO:Trojan-PSW.Win32.Convagent.gen
BitDefender	Trojan.GenericKD.47377109
NANO-Antivirus	Trojan.Win32.QQPass.frlinx
Ad-Aware	Trojan.GenericKD.47377109
DrWeb	Trojan.DownLoader34.49495
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.GenericKD.47377109
Emsisoft	Trojan.GenericKD.47377109 (B)
Ikarus	Trojan.MSIL.Cryptor
Gridinsoft	Trojan.Win32.QQpass.vb!s1
GData	Trojan.GenericKD.47377109
McAfee	Artemis!96E4D115B0ED
MAX	malware (ai score=81)
VBA32	BScope.Trojan.Wacatac
Malwarebytes	Spyware.PasswordStealer
Fortinet	W32/PossibleThreat

lianzhanst.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All